CVE-2026-33517

EUVD-2026-14523 | HIGH
Published 2026-03-23 (GitHub_M)
CVSS 4.0 base score: 8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L), an authenticated user who can create or rename a tag
User Interaction: Passive (UI:P), a privileged user opens the tag deletion confirmation
Vulnerable System impact: High confidentiality, integrity and availability (VC:H/VI:H/VA:H)
Subsequent System impact: None (SC:N/SI:N/SA:N)
Scope: not defined (X); CVSS 4.0 has no Scope metric and uses the Subsequent System metrics above instead

Lifecycle Timeline (4 events, newest first)

Patch Released: Mar 31, 2026 - 21:13 (source: nvd), patch available
EUVD ID Assigned: Mar 23, 2026 - 19:30 (source: euvd), EUVD-2026-14523
Analysis Generated: Mar 23, 2026 - 19:30 (source: vuln.today)
CVE Published: Mar 23, 2026 - 19:13 (source: nvd)

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.

Analysis

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the tag deletion confirmation (tag_delete.php). The tag name is substituted into the `$s_tag_delete_message` language string through its `%1$s` sprintf placeholder without HTML escaping. An authenticated attacker with enough privilege to create or rename a tag stores a name containing HTML; when a user who is allowed to delete tags opens the confirmation page, the injected markup renders in that user's browser and, if the site's Content-Security-Policy allows inline script, arbitrary JavaScript executes in the victim's authenticated session. Because tag deletion is normally a privileged action, the victim is typically an administrator or project manager, so the realistic impact is session hijacking, credential theft, or actions performed with the victim's permissions. …

Remediation

Within 7 days: identify MantisBT installations running 2.28.0 and upgrade to 2.28.1. Where the upgrade must wait, apply the advisory's workaround: revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or remove the `%1$s` placeholder from `$s_tag_delete_message` in the language files so the tag name is no longer interpolated into the confirmation message. A Content-Security-Policy that forbids inline script reduces the impact to HTML injection but does not remove the bug. After patching, review existing tag names for HTML markup so that payloads planted before the upgrade can be cleaned up. Anti-CSRF tokens do not mitigate this issue, since the injected script runs inside the victim's own authenticated session.
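The escaping defect described in the Description and Analysis sections, and the post-patch review of tag names suggested under Remediation, as an added illustration that is not MantisBT's own code. Only the language-string name `$s_tag_delete_message` and its `%1$s` placeholder come from the advisory; the function names, the message wording, the tag names and the audit pattern are constructed here, and the actual 2.28.1 fix may differ in detail.

```php
<?php
// Added example, not MantisBT code. Shows the unescaped sprintf pattern behind
// CVE-2026-33517 next to a hardened form, plus an audit helper for stored
// tag names. Function names and sample data are illustrative.

// Language string in the shape the advisory describes: a sprintf placeholder
// that receives the tag name. (Single quotes keep $s literal in PHP.)
$s_tag_delete_message = 'Are you sure you want to delete tag "%1$s"?';

// Constructed attacker-chosen tag name. A low-privileged user who can create
// or rename tags supplies it and the application stores it as-is.
$malicious_tag_name = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the raw tag name is substituted into the message and
// echoed, so the browser parses the injected <img> tag and runs onerror.
function render_confirmation_vulnerable(string $template, string $tag_name): string
{
    return sprintf($template, $tag_name);
}

// Hardened pattern: escape the untrusted value before substitution.
// ENT_QUOTES covers both quote styles so the value cannot terminate an
// attribute either; the surrounding template stays trusted, fixed text.
function render_confirmation_safe(string $template, string $tag_name): string
{
    $escaped = htmlspecialchars($tag_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf($template, $escaped);
}

// Audit helper for the post-patch review: flag stored tag names containing
// HTML metacharacters. In a real check you would pass in the tag names read
// from the MantisBT tag table; here the input is constructed.
function audit_tag_names(array $tag_names): array
{
    $flagged = [];
    foreach ($tag_names as $name) {
        if (preg_match('/[<>"\'&]/', $name)) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}

// Constructed sample data.
$tags = ['regression', 'needs-triage', $malicious_tag_name, 'R&D'];

echo "Vulnerable: " . render_confirmation_vulnerable($s_tag_delete_message, $malicious_tag_name) . "\n";
echo "Hardened:   " . render_confirmation_safe($s_tag_delete_message, $malicious_tag_name) . "\n";
echo "Flagged tag names: " . implode(' | ', audit_tag_names($tags)) . "\n";
```

Run with `php example.php`. The vulnerable line prints the `<img>` element verbatim, which is what a browser would execute; the hardened line prints it as `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which a browser displays as text. The audit helper is deliberately broad: a harmless name such as `R&D` is flagged too, so treat its output as a triage list to review by hand rather than as proof of compromise.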

Priority Score

43 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +43, POC 0

Vendor Status

Debian, package mantis
Release: (unstable) | Status: fixed | Fixed Version: (unfixed) | Urgency: -

CVE-2026-33517 vulnerability details – vuln.today
